corkami.com 



1 file + 2 tools 
= 2 different documents 

No active detection in the file. 



abusing parsers for 



• fun 

• bypassing security 

o same-origin policy 
o evade detection 
o exfiltration 
o signing 

■ Android Master Key 




excerpt from Gynvael's talk: 

"Dziesięć tysięcy pułapek: ZIP, RAR, etc." ("Ten thousand traps: ZIP, RAR, etc.") 

( http://gynvael.coldwind.pl/?id=523 ) 



ZIP 

trick 1 

a glitch in the matrix 



file names in ZIP 

a couple of files with the same name? 

update: 

for an awesome example see: 

Android: One Root to Own Them All 

Jeff Forristal / Bluebox 

( https://media.blackhat.com/us-13/US-13-Fom 



ZIP 

trick 2 

abstract kitty 



Let's start with simple stuff - 
the ZIP format 

A ZIP file begins with letters PK. 




WRONG 



ZIP - second attempt :) 

.zip file 

  last 65557 bytes of the file: 
  the "header" is "somewhere" here 

    PK\5\6... 
ZIP - "somewhere" ?! 

4.3.16 End of central directory record: 

  end of central dir signature                 4 bytes  (0x06054b50) 
  number of this disk                          2 bytes 
  number of the disk with the 
    start of the central directory             2 bytes 
  total number of entries in the 
    central directory on this disk             2 bytes 
  total number of entries in 
    the central directory                      2 bytes 
  size of the central directory                4 bytes 
  offset of start of central 
    directory with respect to 
    the starting disk number                   4 bytes 
  .ZIP file comment length                     2 bytes 
  .ZIP file comment                            (variable size) 
                                               $0000-$FFFF / 0-65535 

Total: from 22 to 65557 bytes 

(aka: PK\5\6 magic will be somewhere between EOF-65557 and EOF-22) 



ZIP - looking for the "header"? 

"From the START" 

Begin at EOF-65557, 
and move forward. 

  [ ... | PK\5\6... | ... ]  <- "somewhere" 

"From the END" 

(ZIPs usually don't have comments) 

Begin at EOF-22, 
and move backward. 

  [ ... | PK\5\6... ]  <- "somewhere" 

The show will 
continue in a 
moment. 




Larch 

Something completely different 



ZIP Format - LFH 

4.3.7 Local file header: 

  local file header signature     4 bytes  (0x04034b50) 
  version needed to extract       2 bytes 
  general purpose bit flag        2 bytes 
  compression method              2 bytes 
  last mod file time              2 bytes 
  last mod file date              2 bytes 
  crc-32                          4 bytes 
  compressed size                 4 bytes 
  uncompressed size               4 bytes 
  file name length                2 bytes 
  extra field length              2 bytes 

  file name (variable size) 
  extra field (variable size) 
  file data (variable size) 

PK\3\4... LFH + data 

Each file/directory in a ZIP has LFH + data. 



ZIP Format - CDH 

[central directory header n] 

  central file header signature   4 bytes  (0x02014b50) 
  version made by                 2 bytes 
  version needed to extract       2 bytes 
  general purpose bit flag        2 bytes 
  compression method              2 bytes 
  last mod file time              2 bytes 
  last mod file date              2 bytes 
  crc-32                          4 bytes 
  compressed size                 4 bytes 
  uncompressed size               4 bytes 
  file name length                2 bytes 
  extra field length              2 bytes 
  file comment length             2 bytes 
  disk number start               2 bytes 
  internal file attributes        2 bytes 
  external file attributes        4 bytes 
  relative offset of local header 4 bytes 

  file name (variable size) 
  extra field (variable size) 
  file comment (variable size) 

thanks to the redundancy you can recover LFH using CDH, or CDH using LFH 

Each file/directory has a CDH entry in the Central Directory 



ZIP - a complete file 

  PK\3\4... LFH + data   \ 
  PK\3\4... LFH + data    |  Files (header+data) 
  PK\3\4... LFH + data   / 
  PK\1\2... CDH          \ 
  PK\1\2... CDH           |  List of files (and pointers) 
  PK\5\6... EOCD         / 


ZIP - a complete file (continued) 



PK\3\4... 




If the list of the files has pointers to files... 
... the ZIP structure can be more relaxed. 



ZIP - a complete file (continued) 

  PK\3\4... LFH + data 
  PK\5\6... EOCD 
    file comment (variable size) 
      PK\3\4... LFH + data 
      CDH 
      PK\5\6... EOCD 

You can even do an "inception" 
(some parsers may allow eocd(cdh(lfh))) 




And now back 
to our show! 

(we were looking 
for the EOCD) 



Larch 

Something completely different 



ZIP - looking for the "header"? 

(who cares...) 

"stream" 

Let's ignore EOCD! 

(it's sometimes faster) 
(99.9% of ZIPs out there can be parsed this way) 

  PK\3\4... LFH + data 
  PK\3\4... LFH + data 
  PK\3\4... LFH + data 
  PK\5\6... 

(single "files" in an archive) 



ZIP - looking for the "header"? 

(who cares...) 

"aggressive stream" 

We ignore the "garbage"! 

(forensics) 

  PK\3\4... LFH + data 
  (garbage) 
  PK\3\4... LFH + data 
  (garbage) 
  PK\3\4... LFH + data 
  PK\5\6... 

(single "files" in an archive) 



Let's test the parsers 
abstract.zip 

(slide image: an "Abstract Painting Kitty" meme) 



abstract.zip 

(yellow is a comment of the green archive) 

  LFH+data          <- stream 
  syntax breaker 
  LFH+data          <- aggressive stream 
  LFH+data          <- start-first 
  CDH 
  EOCD 
    LFH+data        <- end-first 
    CDH 
    EOCD 
abstract.zip 

from zipfile import ZipFile 
ZipFile("abstract.zip", "r").printdir() 

gynvael:haven-windows> zip.py 
File Name 
readme_EndFirst.txt 


abstract.zip 

<?php 
$za = new ZipArchive(); 
$za->open('abstract.zip'); 
for ($i = 0; $i < $za->numFiles; $i++) { 
    echo "index: $i\n"; 
    print_r($za->statIndex($i)); 
} 
echo "numFile:" . $za->numFiles . "\n"; 

gynvael:haven-windows> php zip.php 
index: 0 
Array 
( 
    [name] => readme_StartFirst.txt 
    [index] => 0 
    [crc] => 543868170 
    [size] => 259 
    [mtime] => 312764400 
    [comp_size] => 259 
    [comp_method] => 6 
) 
numFile:1 



abstract.zip 

import java.io.FileInputStream; 
import java.io.InputStream; 
import java.util.zip.ZipEntry; 
import java.util.zip.ZipInputStream; 

public class zip { 
    public static void main(String args[]) throws 
            java.io.IOException, java.io.FileNotFoundException { 
        InputStream f = new FileInputStream("abstract.zip"); 
        ZipInputStream z = new ZipInputStream(f); 

        ZipEntry e; 
        while ((e = z.getNextEntry()) != null) { 
            System.out.println(e.getName()); 
        } 
    } 
} 

gynvael:haven-windows> java zip 
readme_Stream.txt 



abstract.zip 

gynvael:haven-linux> binwalk abstract.zip 

(terminal output, partly illegible in the scan; the legible parts:) 

DECIMAL   HEX     DESCRIPTION 
0         0x0     Zip archive data, at least v1.8 to extract, compressed size: 179, name: "readme_Stream.txt" 
251       0xFB    Zip archive data, at least v1.8 to extract, compressed size: 1059, name: "readme_AggressiveStream.txt" 
600       0x258   Zip archive data, at least v1.0 to extract, compressed size: 259, name: "readme_StartFirst.txt" 
                  End of Zip archive, comment: 
1000      0x3E8   Zip archive data, at least v1.0 to extract, compressed size: 231, name: "readme_EndFirst.txt" 
1367      0x557   End of Zip archive 



abstract.zip 

  readme_Stream.txt 
  syntax breaker 
  readme_AggressiveStream.txt 
  readme_StartFirst.txt 
  CDH 
  EOCD 
    readme_EndFirst.txt   <- shown by the tools below (end-first) 
    CDH 
    EOCD 

Total Commander 8.01 
UnZip 6.00 (Debian) 
Midnight Commander 
Windows 7 Explorer 
ALZip 
KGB Archiver 
7-zip 
bl.org 
Python zipfile 
DSZip 
C# DotNetZip 
perl Archive::Zip 
Jeffrey's Exif Viewer 
WOBZIP 
GNOME File Roller 
WinRAR 
OSX UnZip 
zip.vim v25 
Emacs Zip-Archive mode 
Ada Zip-Ada v45 
Go archive/zip 
Pharo Smalltalk 2.0 ZipArchive 
Ubuntu less 
Java ZipFile 



abstract.zip 

  readme_Stream.txt 
  syntax breaker 
  readme_AggressiveStream.txt 
  readme_StartFirst.txt   <- shown by the tools below (start-first) 
  CDH 
  EOCD 
    readme_EndFirst.txt 
    CDH 
    EOCD 

PHP ZipArchive 
PHP zip_open... 
PHP zip:// wrapper 
tcl + tclvfs + tclunzip 



abstract.zip 

  readme_Stream.txt   <- shown by the tools below (stream) 
  syntax breaker 
  readme_AggressiveStream.txt 
  readme_StartFirst.txt 
  CDH 
  EOCD 
    readme_EndFirst.txt 
    CDH 
    EOCD 

Ruby rubyzip2 
Java ZipArchiveInputStream 
java.util.zip.ZipInputStream 



abstract.zip 

  readme_Stream.txt 
  syntax breaker 
  readme_AggressiveStream.txt 
  readme_StartFirst.txt 
  CDH 
  EOCD 
    readme_EndFirst.txt 
    CDH 
    EOCD 

binwalk (found all) 



abstract.zip - result summary 

  readme_Stream.txt             <- stream 
  syntax breaker 
  readme_AggressiveStream.txt   <- aggressive stream 
  readme_StartFirst.txt         <- start-first 
  CDH 
  EOCD 
    readme_EndFirst.txt         <- end-first 
    CDH 
    EOCD 











Thanks! 

• Mulander 
• Felix Groebert 
• Salvation 
• j00ru 



abstract.zip - who cares? 

• verify files via End-First 

• unpack via Stream 

Oops. 



abstract.zip - AV 

EICAR test results (using VT): 

• most End-First 

• some Aggressive 

• Stream-only: 

o VBA32 
o NANO-Antivirus 
o Norman 
o F-Prot 
o Agnitum 
o Commtouch 

https://docs.google.com/spreadsheet/ccc?key=0Apv5AGVPzplOdDRPTFNJQXpaNkdiUzl4SE80c1kwdkE&usp=sharing 




http://youtu.be/JQrBqVRqqtc?t=11m15s 
https://speakerdeck.com/ange/pdf-secrets- 



helloworld.pdf (rendered in a viewer: "Hello World!") 

%PDF-1.1 
1 0 obj 
<< 
/Pages 2 0 R 
>> 
endobj 

2 0 obj 
<< 
/Type /Pages 
/Count 1 
/Kids [3 0 R] 
>> 
endobj 

3 0 obj 
<< 
/Type /Page 
/Contents 4 0 R 
/Parent 2 0 R 
/Resources << 
/Font << 
/F1 << 
/Type /Font 
/Subtype /Type1 
/BaseFont /Arial 
>> 
>> 
>> 
>> 
endobj 

4 0 obj 
<< /Length 50 >> 
stream 
BT 
/F1 118 Tf 
10 400 Td 
(Hello World!)Tj 
ET 
endstream 
endobj 

xref 
0 5 
0000000000 65535 f 
0000000010 00000 n 
0000000047 00000 n 
0000000111 00000 n 
0000000313 00000 n 

trailer 
<< 
/Root 1 0 R 
>> 
startxref 
413 
%%EOF 




7.5.5 File Trailer 

The trailer of a PDF file enables a conforming reader to quickly find the cross-reference table and certain 
special objects. Conforming readers should read a PDF file from its end. The last line of the file shall contain 
only the end-of-file marker, %%EOF. The two preceding lines shall contain, one per line and in order, the 
keyword startxref and the byte offset in the decoded stream from the beginning of the file to the beginning of 
the xref keyword in the last cross-reference section. The startxref line shall be preceded by the trailer 
dictionary, consisting of the keyword trailer followed by a series of key-value pairs enclosed in double angle 
brackets (<<...>>) (using LESS-THAN SIGNs (3Ch) and GREATER-THAN SIGNs (3Eh)). Thus, the trailer has 
the following overall structure: 

trailer 
<< key1 value1 
   key2 value2 
   ... 
   keyn valuen 
>> 
startxref 
Byte_offset_of_last_cross-reference_section 
%%EOF 



% trailer <</Root ... 
trailer <</Root ... 
<</Root ...>> 

sometimes, 
it's in the specs 

obscurity via over-specification? 



helloworld.pdf - Adobe Reader 

  (the page shows: Hello World!) 

notice anything unusual? 

helloworld.pdf - Adobe Reader - Print dialog 

  Printer: PDFCreator, Copies: 1, Pages to Print: All, Page Sizing & Handling: Fit 
  (the print preview shows: Top Secret, Page 1 of 1) 



WYSIWYG 

PDF Layers 1/2 

printme.pdf - Adobe Reader 

  Layers panel: one layer, "Visible" 
  (the page shows: Hello World!) 



"Optional Content Configuration" 

• principles 

o define layered content via various /Forms 
o enable/disable layers on viewing/printing 

• no warning when printing 



Layer Properties 

  Layer Name: Visible 
  Intent: View / Reference 
  Default state: Off 
  Locked: no 
  Visibility: Always Visible 
  Print: Never Prints 
  Export: Never Exports 

  ExportState: OFF 
  PrintState: OFF 
  ViewState: ON 



• "you can see the preview!" 

o bypass preview by keeping page 1 unchanged 
o just do a minor change in the file 



PDF Layers 2/2 

• it's Adobe only 

o what's displayed varies with readers 

o could be hidden via previous schizophrenic trick 

• it was in the specs all along 

o very rarely used 
o can be abused 
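A defender's check for the layer trick above: walk a PDF's optional content groups and flag any whose /View, /Print and /Export usage states disagree, i.e. what is shown on screen is not what prints. This is an added example, not code from the talk; the object numbers and layer names in the embedded sample are constructed.

```python
import re

# Constructed sample (not the talk's printme.pdf): the optional-content objects of a
# two-layer PDF. Layer 5 is shown on screen but never prints; layer 6 prints but is hidden.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OCProperties << /OCGs [5 0 R 6 0 R 7 0 R] /D << /Order [5 0 R 6 0 R] /OFF [6 0 R] >> >> >>
endobj
5 0 obj
<< /Type /OCG /Name (Visible)
   /Usage << /View << /ViewState /ON >> /Print << /PrintState /OFF >>
             /Export << /ExportState /OFF >> >> >>
endobj
6 0 obj
<< /Type /OCG /Name (Top Secret)
   /Usage << /View << /ViewState /OFF >> /Print << /PrintState /ON >> >> >>
endobj
7 0 obj
<< /Type /OCG /Name (Plain) >>
endobj
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
USAGES = (b"View", b"Print", b"Export")

def default_off(pdf: bytes) -> set:
    """Object numbers the default configuration (/D /OFF [...]) hides when the file opens."""
    m = re.search(rb"/OCProperties\s*<<.*?/D\s*<<.*?/OFF\s*\[([^\]]*)\]", pdf, re.S)
    return set(re.findall(rb"(\d+)\s+\d+\s+R", m.group(1))) if m else set()

def audit_ocgs(pdf: bytes) -> list:
    """One record per OCG: name, declared View/Print/Export states, and a mismatch flag
    when those states disagree (screen and paper would not carry the same content)."""
    hidden = default_off(pdf)
    report = []
    for num, body in OBJ_RE.findall(pdf):
        if not re.search(rb"/Type\s*/OCG\b", body):
            continue
        name = re.search(rb"/Name\s*\(([^)]*)\)", body)
        states = {}
        for usage in USAGES:
            m = re.search(rb"/%sState\s*/(ON|OFF)" % usage, body)
            if m:
                states[usage.decode()] = m.group(1).decode()
        report.append({
            "obj": int(num),
            "name": name.group(1).decode("latin-1") if name else "",
            "states": states,
            "hidden_by_default": num in hidden,
            # The schizophrenic case: at least two usages declared with different states.
            "mismatch": len(set(states.values())) > 1,
        })
    return report

def suspicious_layers(pdf: bytes) -> list:
    """Names of layers that look different on screen and on paper (or on export)."""
    return [r["name"] for r in audit_ocgs(pdf) if r["mismatch"]]
```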



BMP 

Trick 1 

(originally published in Gynvael's 2008 article "Format BMP okiem hakera" ("The BMP format through a hacker's eyes")) 



bfOffBits 

Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits. (MSDN) 

  offset 0:  FILE HEADER (bfOffBits ---. 
             INFO HEADER              | 
  offset N:  PIXEL DATA  <------------' 

• Some image viewers ignore bfOffBits and look for data immediately after the headers. 

  offset 0:  FILE HEADER (bfOffBits ---. 
             INFO HEADER              | 
             PIXEL DATA (secondary)   | 
  offset N:  PIXEL DATA  <------------' 

Different images, depending on which pixel data is used. 

(screenshot: output.bmp in Universal Viewer, 460x270, 24 BPP, 727 KB, 31/05/2014) 
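A check for the bfOffBits trick above: compute where pixel data should start (file header + info header + palette) and compare it with the offset the header claims; any slack between the two is a second pixel buffer that some viewers will show instead. Added example, not the talk's code; the two-pixel BMPs it builds are constructed inline.

```python
import struct

FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)

def build_bmp(primary_row: bytes, secondary_row: bytes = b"") -> bytes:
    """2x1, 24-bpp BMP. bfOffBits points at primary_row; secondary_row (the trick) sits
    right after the headers, where a viewer that ignores bfOffBits starts reading."""
    off_bits = 14 + 40 + len(secondary_row)
    file_hdr = struct.pack(FILE_HDR, b"BM", off_bits + len(primary_row), 0, 0, off_bits)
    info_hdr = struct.pack(INFO_HDR, 40, 2, 1, 1, 24, 0, len(primary_row), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + secondary_row + primary_row

def implied_data_offset(bmp: bytes) -> int:
    """Where pixel data 'should' start: file header + info header + palette (if any)."""
    bi_size, _w, _h, _planes, bpp, *_rest, clr_used, _imp = struct.unpack_from(INFO_HDR, bmp, 14)
    palette = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    return 14 + bi_size + palette

def audit_bmp(bmp: bytes) -> dict:
    """Compare the claimed bfOffBits with the implied offset; non-zero slack means the
    file carries bytes that one class of viewers renders and another ignores."""
    off_bits = struct.unpack_from(FILE_HDR, bmp)[4]
    implied = implied_data_offset(bmp)
    return {"bfOffBits": off_bits, "implied": implied, "slack": off_bits - implied,
            "schizophrenic": off_bits != implied}

def row_pixels(bmp: bytes, start: int, width: int = 2) -> list:
    """Decode one 24-bpp row (stored as B,G,R) into (R,G,B) tuples."""
    return [(bmp[start + 3 * i + 2], bmp[start + 3 * i + 1], bmp[start + 3 * i])
            for i in range(width)]

# Constructed rows: two pixels each plus 2 pad bytes (rows are 4-byte aligned).
RED_ROW = bytes([0, 0, 255] * 2 + [0, 0])
BLUE_ROW = bytes([255, 0, 0] * 2 + [0, 0])
HONEST = build_bmp(RED_ROW)
TRICKY = build_bmp(RED_ROW, secondary_row=BLUE_ROW)   # red via bfOffBits, blue via "after headers"
```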



BMP 

Trick 2 

Something I've learnt about because it spoiled my steg100 
task for a CTF (thankfully during testing). 



BMP compression & palette 

Run-Length Encoding (each box is 1 byte): 

  [Length > 0][Palette index (color)]                              encoded run 
  [Length = 0][RAW Length > 2][Palette index]...[Palette index]    absolute mode 
  [Length = 0][0]                                                  End of Line 
  [Length = 0][1]                                                  End of Bitmap 
  [Length = 0][2][X offset][Y offset]                              Move Cursor 

BMP compression & palette 

Question: If the opcodes below allow jumping over pixels and 
set no data, how will the pixels look? 

Hint: Please take a look at the presentation title :) 

  [Length = 0][0]                          End of Line 
  [Length = 0][1]                          End of Bitmap 
  [Length = 0][2][X offset][Y offset]      Move Cursor 



Option 1 

The missing data will be filled with background color. 

(index 0 in the palette) 

(screenshot: the image in a viewer, 640x430 x8 BPP; it reads "There is nothing hidden here.") 

Option 2 

The missing data will be black. 

(screenshot: output2.bmp in Lister; it reads "Nothing at all. Really. Just this text below. No other secrets here. None at all. Nooo sir." with further text visible: "Problem BMPs are coming from another world, aren't they?") 

Option 3 

The missing data will be transparent. 

(HE 3 represents transparency) 
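An RLE8 decoder for the opcodes above that remembers which pixels no opcode ever wrote, so the three options can be compared on the same stream: the untouched pixels are exactly where viewers disagree. Added example, not the talk's code; the 4x2 sample stream is constructed.

```python
UNSET = -1   # palette indices are 0..255, so -1 marks a pixel no opcode wrote

def decode_rle8(data: bytes, width: int, height: int) -> list:
    """Decode BI_RLE8 into rows of palette indices (row 0 = first stored row).
    Pixels skipped by End of Line, End of Bitmap or Move Cursor stay UNSET."""
    rows = [[UNSET] * width for _ in range(height)]
    x = y = pos = 0

    def put(index):
        nonlocal x
        if 0 <= x < width and 0 <= y < height:
            rows[y][x] = index
        x += 1

    while pos + 1 < len(data):
        count, value = data[pos], data[pos + 1]
        pos += 2
        if count > 0:                         # encoded run: count pixels of one palette index
            for _ in range(count):
                put(value)
        elif value == 0:                      # End of Line
            x, y = 0, y + 1
        elif value == 1:                      # End of Bitmap
            break
        elif value == 2:                      # Move Cursor: jump without writing anything
            x, y = x + data[pos], y + data[pos + 1]
            pos += 2
        else:                                 # absolute mode: value literal indices, word aligned
            for i in range(value):
                put(data[pos + i])
            pos += value + (value & 1)
    return rows

def unset_pixels(rows: list) -> int:
    """How many pixels the stream never defined; > 0 means the image is viewer-dependent."""
    return sum(row.count(UNSET) for row in rows)

def render(rows: list, fill) -> list:
    """Apply one viewer policy to the untouched pixels: palette index 0 (Option 1),
    'black' (Option 2) or 'transparent' (Option 3)."""
    return [[fill if p == UNSET else p for p in row] for row in rows]

# Constructed 4x2 stream: a run of two index-1 pixels, a cursor move over two pixels, EOL,
# then three absolute pixels (5, 6, 7 plus one alignment byte) and End of Bitmap.
SAMPLE_RLE = bytes([2, 1,  0, 2, 2, 0,  0, 0,  0, 3, 5, 6, 7, 0,  0, 1])
```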




PNG 

a data schizophren 

image data combining 

• 2 images 

• via 2 palettes 

cute PoC by @reversity 

"There shall not be more than one PLTE chunk" 



(screenshots: tigercat.png opened in Lister and in Windows Photo Viewer) 

different images depending on which PLTE chunk is used 
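A chunk walker for the two-PLTE case above: it reports what a strict decoder would reject (a second PLTE, a PLTE after IDAT, bad CRCs) and shows the colour a lenient decoder picks under a "first PLTE wins" versus "last PLTE wins" policy. Added example, not @reversity's PoC; the 2x1 indexed PNG is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """length (big-endian) + type + data + CRC over type and data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def chunks(png: bytes):
    """Walk the chunk list; yields (type, data, crc_ok). Stops at IEND or truncation."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        data = png[pos + 8:pos + 8 + length]
        stored = struct.unpack_from(">I", png, pos + 8 + length)[0]
        yield ctype, data, zlib.crc32(ctype + data) == stored
        pos += 12 + length
        if ctype == b"IEND":
            break

def audit_png(png: bytes) -> list:
    """Issues a strict decoder would raise; lenient decoders resolve them silently
    and, as the slide shows, not all in the same way."""
    issues, palettes, idat_seen = [], [], False
    for ctype, data, crc_ok in chunks(png):
        if not crc_ok:
            issues.append(f"bad CRC on {ctype.decode()}")
        if ctype == b"PLTE":
            palettes.append(data)
            if idat_seen:
                issues.append("PLTE after IDAT")
        idat_seen |= ctype == b"IDAT"
    if len(palettes) > 1:
        issues.append(f"{len(palettes)} PLTE chunks (spec allows exactly one)")
    return issues

def first_pixel_rgb(png: bytes, policy: str) -> tuple:
    """Colour of pixel (0,0) of an 8-bit indexed image under the 'first' or 'last' PLTE policy."""
    plte = [d for t, d, _ in chunks(png) if t == b"PLTE"]
    palette = plte[0] if policy == "first" else plte[-1]
    raw = zlib.decompress(b"".join(d for t, d, _ in chunks(png) if t == b"IDAT"))
    index = raw[1]                      # byte 0 of the scanline is the filter type
    return tuple(palette[3 * index:3 * index + 3])

# Constructed 2x1 indexed PNG carrying two palettes: red/green first, blue/white second.
SAMPLE_PNG = (PNG_SIG
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 3, 0, 0, 0))
              + chunk(b"PLTE", bytes([255, 0, 0, 0, 255, 0]))
              + chunk(b"IDAT", zlib.compress(bytes([0, 0, 1])))
              + chunk(b"PLTE", bytes([0, 0, 255, 255, 255, 255]))
              + chunk(b"IEND", b""))
```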



Relocation types 

  Type 4    HIGHADJ 
  Type 9    MIPS_JMPADDR16 (32 bit) / IA64_IMM64 (64 bit) / MACHINE_SPECIFIC_9 
  Type 10   DIR64 

Relocations on relocations 

  process Relocation 1 
    -> do nothing 
    -> or: modify Relocation 2 

  process Relocation 2 
    -> type 9: 32b / 64b 

Relocation-based PE Schizophren 
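A relocation-table audit for the two cases above: entries whose fixup target lies inside the .reloc section itself (a relocation that rewrites another relocation) and type 9 entries, which a 32-bit and a 64-bit loader interpret differently. Added example, not the talk's PoC; the .reloc block and its RVA are constructed, not taken from a real binary.

```python
import struct

# IMAGE_REL_BASED_* values the slide mentions. Type 9 is machine specific, so a 32-bit
# and a 64-bit loader apply a different fixup to the same entry.
RELOC_TYPES = {0: "ABSOLUTE", 3: "HIGHLOW", 4: "HIGHADJ",
               9: "MIPS_JMPADDR16 (32b) / IA64_IMM64 (64b)", 10: "DIR64"}

def parse_reloc(section: bytes, section_rva: int) -> list:
    """Entries of a .reloc section as (type, target RVA, RVA of the entry itself).
    Block = page RVA (4) + block size (4) + 16-bit entries (type:4 | page offset:12)."""
    entries, pos = [], 0
    while pos + 8 <= len(section):
        page_rva, size = struct.unpack_from("<II", section, pos)
        if size < 8 or pos + size > len(section):
            raise ValueError(f"bad block size {size} at offset {pos}")
        off = pos + 8
        while off + 2 <= pos + size:
            word = struct.unpack_from("<H", section, off)[0]
            rtype = word >> 12
            entries.append((rtype, page_rva + (word & 0xFFF), section_rva + off))
            off += 4 if rtype == 4 else 2      # HIGHADJ consumes a second word (the low half)
        pos += size
    return entries

def audit_relocs(section: bytes, section_rva: int) -> list:
    """Flag fixups that rewrite the relocation table itself and fixups whose meaning
    depends on the loader's bitness. Each finding: (kind, entry RVA, target RVA, type name)."""
    findings, lo, hi = [], section_rva, section_rva + len(section)
    for rtype, target, at in parse_reloc(section, section_rva):
        if rtype == 0:
            continue                            # ABSOLUTE is padding, never applied
        name = RELOC_TYPES.get(rtype, str(rtype))
        if lo <= target < hi:
            findings.append(("relocation-on-relocation", at, target, name))
        if rtype == 9:
            findings.append(("machine-specific", at, target, name))
    return findings

# Constructed .reloc section mapped at RVA 0x3000: one block with four entries.
# Entry 2 is a DIR64 whose target is the bytes of entry 3 (at 0x300C).
SAMPLE_RELOC = struct.pack("<II", 0x3000, 8 + 4 * 2) + struct.pack(
    "<HHHH",
    (3 << 12) | 0x010,    # HIGHLOW -> 0x3010, an ordinary fixup outside the table
    (10 << 12) | 0x00C,   # DIR64   -> 0x300C, inside this very block
    (9 << 12) | 0x020,    # type 9  -> 0x3020, MIPS_JMPADDR16 on 32b, IA64_IMM64 on 64b
    0)                    # ABSOLUTE padding
```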



Follow us into the 
rabbit hole 

"Hello, World\n" 

IDA uses sections 

$ ./hello 
dlroW ,olleH 

Kernel uses segments 

Julian Bangert, Sergey Bratus - ELF Eccentricities 
https://www.youtube.com/watch?v=4LU6N6THri2U 



GIF 



Something Gynvael stumbled on in 2008, 
but never made a PoC... until now. 
(with great input from Ange) 



GIF 



GIF can be made of many small images. 

If "frame speed" is defined, these are frames instead 
(and the first frame is treated as background). 



GIF 



Certain parsers (e.g. browsers) treat "images" as "frames" 
regardless of "frame speed" not being defined. 






Frame 1 



Frame 2 



Frame 3 





GIF 



Schizophrenic PoC: 




Frame 1 



Frames 2-10001 



Frame 10002 



1x1 px 
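A GIF block walker for the PoC above: it counts image descriptors and Graphic Control Extensions (the block that carries a frame delay) and flags a file with many images but no delays, the case where "many images" and "animation" parsers disagree. Added example, not the talk's PoC generator; the GIFs it builds are constructed 1x1 images whose LZW payload is a placeholder that the walker does not decode.

```python
import struct

def subblocks(payload: bytes) -> bytes:
    """Wrap raw bytes as GIF data sub-blocks (length-prefixed, a 0 byte terminates)."""
    out = b""
    for i in range(0, len(payload), 255):
        piece = payload[i:i + 255]
        out += bytes([len(piece)]) + piece
    return out + b"\x00"

def build_gif(n_images: int, delay_cs: int = None) -> bytes:
    """1x1 GIF89a with n image descriptors. With delay_cs each image is preceded by a
    Graphic Control Extension carrying that delay, i.e. it is explicitly a frame."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)  # 2-colour global table
    body = b""
    for _ in range(n_images):
        if delay_cs is not None:
            body += b"\x21\xF9" + subblocks(struct.pack("<BHB", 0, delay_cs, 0))
        body += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)      # image descriptor
        body += b"\x02" + subblocks(b"\x44\x01")   # LZW min code size + placeholder code stream
    return header + body + b"\x3B"

def skip_subblocks(gif: bytes, pos: int) -> int:
    while gif[pos]:
        pos += 1 + gif[pos]
    return pos + 1

def walk_gif(gif: bytes) -> dict:
    """Count image descriptors and timed frames; several images with no delay at all is
    the ambiguous case (one composite image, or a fast animation, depending on the parser)."""
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = gif[10]
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)
    images = gces = timed = 0
    while pos < len(gif):
        marker = gif[pos]
        if marker == 0x3B:                             # trailer
            break
        if marker == 0x21:                             # extension block
            label = gif[pos + 1]
            pos += 2
            if label == 0xF9:                          # Graphic Control Extension
                gces += 1
                timed += struct.unpack_from("<H", gif, pos + 2)[0] > 0
            pos = skip_subblocks(gif, pos)
        elif marker == 0x2C:                           # image descriptor
            images += 1
            flags = gif[pos + 9]
            pos += 10 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)
            pos = skip_subblocks(gif, pos + 1)         # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{marker:02x} at {pos}")
    return {"images": images, "gce": gces, "timed": timed,
            "ambiguous": images > 1 and timed == 0}
```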



(screenshot: the PoC opened in Lister) 

These apps render the GIF by the specs 

(screenshots: a browser showing test.htm, Paint, ManView 320x200 x8 BPP; the rendered images read "ENDCAT - I WILL END YOU AND ALL YOU LOVE" and "GOING TO THE MOON, BRB") 

These apps try to force animation. 

(screenshot: GIMP, Layers panel listing Frame 10002, Frame 10001, Frame 10000, Frame 9999 ... Frame 9993, Background) 

GIMP says "frames", but allows one to see 
all the frames, which is nice. 



D 



same-tool schizophrenia 

1 file + 1 tool = 2 behaviors 

it was too simple 

• WinRAR: different behavior when viewing or extracting 

o opening/failing 
o opening/'nothing' 

• Adobe: viewing & printing 

o well, it's a feature 



Failures / Ideas / WIP 

(slide image: color spaces - Pantone 17-5641, DCI-P3, Adobe RGB, sRGB) 

Screen <=> Printer schizophren 
via color profiles? 



Failures / Ideas / WIP 



• screen <=> printer 

o embedded color profiles? 

• JPG 

o IrfanView vs the world 

• Video 

o FLV: video fails but still plays sound ? 



PNG 



Various ancillary chunks (rendering level) 

• partially supported: 

o gamma 
o transparency (for palettes) 

• never supported? 

o significant bits 
o chromaticities 

• always supported? 

o physical size 



Conclusion 

• such a mess 

o specs are messy 
o parsers don't even respect them 

• no CVE/blaming for parsing errors? 

o no security bug if no crash or exploit :( 

PoCs and slides: http://goo.gl/Sfjfo4 



ACK 

@reversity @travisgoodspeed @sergeybratus 
qkumba @internot @pdfkungfoo 

@j00ru ise ds vx 



thank you 

@angealbertini 
@gynvael 




Bonus Round 

(not a fully schizophrenic problem in popular 
parsers, that's why it's here) 

Prezi SWF sanitizer 

Prezi allows embedding SWF files. 

But it first sanitizes them. 

It uses one of two built-in SWF parsers. 

There was a problem in one of them: 

• It allowed huge chunk sizes. 

• It just "jumped" (seeked) over these chunks... 

• ...which resulted in an integer overflow... 

• ...and this led to schizophrenia. 

• As the sanitizer saw a good SWF... 

• ...Adobe Flash got its evil twin brother. 



Prezi SWF sanitizer 

SWF passed to the sanitizer: 

  "good" SWF sent to the sanitizer      and its evil twin brother 
  --------------------------------      ------------------------- 
  TAG: 1   Len: 20                      TAG: 1   Len: 20 
  TAG: 1   Len: a lot  (see below)      TAG: 1   Len: a lot 
  EOF                                   TAG: 1   Len: -32 
                                        8 byte padding 
                                        hidden "evil" chunks 
                                        EOF 

  kudos to the sanitizer! 

  20 bytes: [TAG header][TAG data or padding] 

Fixed in Q1 2014. For details see: 

"Integer overflow into XSS and other fun stuff - a case study of a bug bounty" 
http://gynvael.coldwind.pl/?id=533 
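The sanitizer's failure mode above, modelled on a constructed SWF tag stream: an unchecked walker that seeks past each tag with 32-bit arithmetic, so a tag claiming a length of -32 wraps the position past EOF and the walk ends "cleanly", next to a hardened walker that rejects any tag claiming more bytes than remain. Added example, not Prezi's code or the talk's PoC; the tag stream (the bytes after the SWF file header) and its tag codes are constructed.

```python
import struct

MASK32 = 0xFFFFFFFF

def tag(code: int, body: bytes, claimed_len: int = None) -> bytes:
    """RECORDHEADER: 16-bit (code << 6 | length); length 0x3F means a 32-bit length
    follows. claimed_len writes a length that disagrees with the body (the lie)."""
    length = len(body) if claimed_len is None else claimed_len
    if claimed_len is None and length < 0x3F:
        return struct.pack("<H", (code << 6) | length) + body
    return struct.pack("<HI", (code << 6) | 0x3F, length & MASK32) + body

def read_header(tags: bytes, pos: int):
    """Return (code, length, header size) for the tag at pos."""
    word = struct.unpack_from("<H", tags, pos)[0]
    code, length, size = word >> 6, word & 0x3F, 2
    if length == 0x3F:
        length, size = struct.unpack_from("<I", tags, pos + 2)[0], 6
    return code, length, size

def walk_unchecked(tags: bytes) -> list:
    """The sanitizer's walk as the slide describes it: seek past each tag with 32-bit
    arithmetic and no bounds check, so a huge length wraps and the loop ends 'cleanly'."""
    seen, pos = [], 0
    while pos < len(tags):
        code, length, hsize = read_header(tags, pos)
        seen.append(code)
        pos = (pos + hsize + length) & MASK32
    return seen

def walk_checked(tags: bytes) -> list:
    """Hardened walk: a tag may not claim more bytes than remain in the file."""
    seen, pos = [], 0
    while pos < len(tags):
        code, length, hsize = read_header(tags, pos)
        remaining = len(tags) - pos - hsize
        if length > remaining:
            raise ValueError(f"tag {code} at {pos} claims {length} bytes, {remaining} remain")
        seen.append(code)
        pos += hsize + length
    return seen

# Constructed tag streams. Tag codes: 1 = ShowFrame, 12 = DoAction, 0 = End.
# The evil twin's second tag claims a length of -32 (0xFFFFFFE0), as on the slide.
GOOD_TAGS = tag(1, bytes(20)) + tag(12, b"\x00") + tag(0, b"")
EVIL_TAGS = (tag(1, bytes(20)) + tag(1, b"", claimed_len=-32) + bytes(8)   # 8 byte padding
             + tag(12, b"\x00") + tag(0, b""))                              # hidden chunks
```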



